Archive

Here is some of the recent coverage from the last couple of months or so on topics relevant to content on my blog, presentations and speaking engagements. No particular order or priority and I haven’t kept a good record, unfortunately.

[I often get a bunch of guff as to why I make these lists: ego, horn-tooting, self-aggrandizement. I wish I thought I were that important. 😉 The real reason is that it helps me keep track of useful stuff focused not only on my participation, but that of the rest of the blogosphere.]

Here is some of the recent coverage from the last month or so on topics relevant to content on my blog, presentations and speaking engagements. No particular order or priority and I haven’t kept a good record, unfortunately.

Geva and James were kind (foolish?) enough to invite me onto their Overcast podcast today:

In this podcast we talk to Christopher Hoff, renowned information security expert, and especially security in the context of virtualization and cloud computing. Chris is the author of the Rational Survivability blog, and can be followed as @Beaker on Twitter.

Show Notes:

Based upon feedback from attendees at Blackhat, my talk, "The Four Horsemen of the Virtualization Security Apocalypse," went over well and I really had a lot of fun delivering it. It’s had a TON of coverage.

Despite the positive feedback from folks, it seems the foreboding narrative of the apocalypse has carried over into the real world due to a rather unfortunate journalistic misinterpretation of the facts.

It’s only fair to state that I have been critical in the past of others in our line of work who have complained of their inability to control the output of their direct interviews with the press and analysts as misquotes and misunderstandings arise.

Perhaps this is a little karmic payback for my outspokenness, as after my talk at Blackhat, I have now enjoyed the fruits of journalistic distortion firsthand. It’s important to note that this was not the result of a direct interview, but rather the inaccurate reporting of a reporter sitting in the audience of my talk. I was never contacted with questions or asked for clarification or review.

Many of the points I made in my presentation were reflected upon poorly and my perspective butchered, but one specific item is causing me some serious grief in a professional capacity. It cast a rather crappy pall on the rest of my Blackhat and Defcon experience (more on that later).

One of the "Four Horsemen" which represents a critical issue in virtualization security is that of the hidden costs involved in virtualizing security. The point I made, and the language I used consistently to describe it multiple times, appears below:

To be perfectly clear, what I obviously said was that "virtualizing security will not save you money, it will cost you more."

What Ellen Messmer reported in her Network World article was that I said "Virtualization will not save you money, it will cost you more."

Now, this may not seem like much of a difference, but it’s a profoundly impacting dissimilarity.

It’s a dangerous rephrase that has now caused significant pain for me that I’m going to have to deal with once I return from vacation. It’s been picked up and re-printed/adapted so many times without validation that I can’t keep count any longer.

You see, I work as the security architect for the division of a company which is maniacally focused on designing, deploying and supporting heavily-virtualized realtime infrastructure for our customers. One of the (obvious) value propositions of virtualization/RTI is cost savings/reduction/avoidance, which I specifically referenced during my presentation as a well-established fact and reasonable motivation for virtualization.

You can probably imagine the surprise of folks when they read Ellen’s article which is written in a way that directly contradicts our corporate messaging and the value proposition offered to our clients. It reflects rather poorly on me and my company.

And just to be clear, my scorn was not directed at the "network industry" or the "virtualization industry" as reported in the article; the context of my entire talk was the security industry, a point sorely missed.

This article reads like the output result of a bad game of "telephone."

I intend to contact Ellen Messmer and ask for a retraction as well as corrections of multiple other mistakes in the article, but as we all know, there’s no real retraction on the Internet. All I can offer is my presentation, the video recording of it and the recollection of the 500+ others who were in the audience when I presented (including numerous other reporters).

The only other thing left to do is to sheepishly admit that despite the fact that this was not an interview that I or anyone else could control or influence for correctness, Joanna Rutkowska was essentially correct in her assertion during our last debate that you cannot control the press, despite best efforts.

Even though I’ve never had a problem of this degree in the almost 15 years of doing this sort of thing, I humbly submit to her on that point.

I delivered the closing presentation of the InfoWorld Executive Virtualization Forum in San Francisco on Monday. The title of my presentation, which I will upload soon, was "Addressing Security Concerns in Virtual Environments."

The conference was a good mix of panels and presentations giving some excellent perspective to senior-level managers and executives on virtualization and its impact.

The night before was obviously the Super Bowl and InfoWorld hosted a get-together complete with beer, snacks and a big screen for us to watch the Big Game. Most of the InfoWorld staff are out of the MA area, so except for a few Giants fans, it was a room packed with Pats fanatics.

So, when it was my turn to speak, I slipped a borrowed Randy Moss jersey over my silk shirt and took the stage to stares of bewilderment and confusion.

I explained my costume and expressed my disappointment with the team’s performance in one fell swoop:

You may be wondering why I’m up here presenting in my beloved Patriots uniform. Well, this *is* a security presentation, so I thought I could give you no more spectacular illustration of what happens when you fail to execute on a defensive strategy than this (pointing to the jersey).

Further, I find it completely amusing and apropos to be standing here in a virtualization conference talking about security *last* in the order of things because that’s exactly the problem I want to talk about…

The crowd seemed to enjoy those couple of opening shots and the rest went quite well — I try to make stabs at involving the audience. I always gauge the success of a show by how many people come up and talk to me at the podium and afterwards. By all accounts, it rocked since I spent the next 45 minutes talking to the 30+ folks that engaged me between the podium and the beer stand.